script-src origin
The script's origin ('self') is listed in script-src. The browser fetches and runs it — no nonce or hash needed on the tag itself, just the origin. In production, a CDN URL like https://cdnjs.cloudflare.com would be listed instead.
Response header
Content-Security-Policy: script-src 'self'Script tag in page source
<script src="/javascripts/sdk.js"></script>
Result
( ._.)